Security Standards Compliance

NIST SP 800-53 Revision 4
(Security and Privacy Controls for Federal Information Systems and Organizations)

Trend Micro Products (Deep Security)

Version 2.0

Document TMIC-004-N Version 2.0, September 2015


Security and Privacy Controls for Federal Information Systems and Organizations - NIST SP 800-53 Revision 4
Security Standards Compliance -- Trend Micro Products (Deep Security)

References:
A. Federal Information Security Management Act (FISMA), 2002
B. Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publication 800-53, Rev. 4, 15 Jan 2014
C. Assessing Security and Privacy Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans, NIST SP 800-53A, Rev. 4, Dec 2014
D. Security Categorization and Control Selection for National Security Systems, CNSS Instruction 1253, 27 Mar 2014
E. National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology Products No. 11 (CNSSP #11), 10 Jun 2013
F. FedRAMP Security Controls Baseline (for Low and Moderate impact systems), Ver. 2, 4 Jun 2014
G. ISO / IEC 15408, Common Criteria for Information Technology Security Evaluation, Ver 3.1 Rev. 4, Sep 2012
H. Security Standards Compliance, SP 800-53 Rev.4 (ipd) -- Trend Micro Products (Deep Security and SecureCloud), Ver. 1.1, Prepared by BD Pro, 24 Aug 2011
I. Securing Large Scale Virtual Server Environments in US Government Enterprises, Trend Micro Whitepaper, Ver. 1, Prepared by BD Pro, 29 Nov 2011
The FISMA Implementation Project includes development and promotion of key security standards and guidelines to support the implementation of, and compliance of US government agencies with, FISMA, addressing: (1) categorizing information and information systems by mission impact; (2) minimum security requirements; (3) selecting appropriate security controls; (4) guidance for assessing security controls and determining security control effectiveness; (5) guidance for the security authorization of information systems; and (6) monitoring the security controls and the security authorization of systems.

The key security standard and guidance document being used for FISMA implementation and compliance is NIST SP 800-53 Revision 4. This document is an update to the 2011 whitepaper and considers new controls in the current edition of the NIST standard.

The product-specific compliancy details are needed by managers, security systems engineers and risk analysts so that they can select and architect cost-effective secure solutions that will protect their enterprise systems and sensitive information assets from the modern hostile threat environment. Revision 4 of SP 800-53 is the first to include mappings of security controls to ISO 15408 Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) [1]. Based on these mappings, the "P" context compliancy statements include those related to the SFRs and SARs used in the most recent CC evaluations: Deep Security v9.5, EAL2 evaluation in progress [2].

Security products acquired by US Government agencies for National Security Systems are required to have Common Criteria certification in accordance with CNSSP #11. This document also identifies those security controls which are included in CNSSI 1253 baselines for National Security Systems and in FedRAMP baselines for Cloud Service Providers (CSPs).

Virtualized servers and cloud computing environments are being implemented throughout government enterprises and by their CSPs. They face many of the same security challenges as their physical counterparts and additionally have to contend with a number of security concerns specific to the virtual environment, such as inter-VM traffic, resource contention, blurring of system and network security boundaries, mixed trust levels, security zoning, and separation of duties. In particular, organizations need to specifically protect their sensitive information assets in the virtualized multi-tenant cloud environment, where the physical storage locations are unknown to them and distributed across the cloud.

The NIST SP 800-53 standard provides a foundation of security controls for incorporation into an organization's overall security requirements baseline for mitigating risk and improving systems and application security in their physical and virtualized environments. Many of the organizations using the NIST security requirements also have obligations to demonstrate compliance with the SP 800-53 security requirements. From a security product vendor's viewpoint, there is a need to clearly demonstrate to users of their products how those products will help satisfy the SP 800-53 enterprise and product-specific security requirements. In this document we have indicated how SP 800-53 compliance is addressed by Trend Micro Deep Security.

[1] The CC evaluation Security Targets also included Trend Micro product-specific Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) related to Intrusion Detection and Anti-Malware. These SFRs and SARs are not included in the SP 800-53 r4 Appendix H mapping table.
[2] The current Common Criteria evaluation of Deep Security v9.5 is an update to the earlier evaluations to EAL4+ for Deep Security v7.5 SP2 (Certification Report #383-4-152) and for Deep Security v8.0 SP1 (Maintenance Report # 383-7-79-MR).
One of the major challenges for government enterprises and their service providers is to remain compliant with the SP 800-53 standard in a constantly changing threat environment. One objective of this Trend Micro document is to provide focused guidance on how Trend Micro Deep Security can effectively help deal with these ongoing challenges. The SP 800-53 security control baselines and priorities are leveraged to provide such focus in this guidance. This Prioritized Approach identifies the applicable SP 800-53 security control baselines (L, M and H) and the implementation priorities (P0, P1, P2, and P4). These details will help enterprises and their service provider partners implement a continuous improvement process to protect critical assets and data against the highest risk factors and today's escalating threats. The reader is also referred to the above referenced Trend Micro whitepaper for additional guidance related to virtualization implementation.
The Deep Security product provides, in both virtualized and physical environments, the combined functionality of a Common Criteria EAL2 validated Firewall, Anti-Virus, Deep Packet Inspection, Integrity Monitoring, Log Inspection, Role Based Access Control (RBAC) and support for multi-tenant virtual environments. The primary Deep Security modules include:

Deep Security Manager is a centralized Web-based management console which administrators use to configure security policy and deploy protection to the enforcement components: the Deep Security Virtual Appliance and the Deep Security Agent.

Firewall Module centralizes management of server firewall policy using a bidirectional stateful firewall. It supports virtual machine zoning and prevents denial of service attacks, and provides broad coverage for all IP-based protocols and frame types as well as fine-grained filtering for ports and IP and MAC addresses.

Anti-Malware Module provides both real-time and on-demand protection against file-based threats, including threats commonly referred to as malware, viruses, Trojans, and spyware. To identify threats, Anti-Malware checks files against a comprehensive threat database, portions of which are hosted on servers or kept locally as updatable patterns. Anti-Malware also checks files for certain characteristics, such as compression and known exploit code. To address threats, Anti-Malware selectively performs actions that contain and remove the threats while minimizing system impact. Anti-Malware can clean, delete, or quarantine malicious files. It can also terminate processes and delete other system objects that are associated with identified threats.

Recommendation Scans identify known vulnerabilities. The operation scans the operating system and also installed applications. Recommendation Scans automate scanning of systems and patch levels against the latest Critical Vulnerability and Exposure (CVE) database, to automatically apply Deep Security signatures, engines, patterns, and rules/filters to detect/prevent exploitation of these vulnerabilities and to produce audit logs and reports which can be used to support a continuous monitoring program or audits.

Integrity Monitoring Module detects and reports malicious and unexpected changes to files and the system registry in real time, and is available in an agentless form factor. It provides administrators with the ability to track both authorized and unauthorized changes made to the instance. The ability to detect unauthorized changes is a critical component in a cloud security strategy, as it provides visibility into changes that could indicate the compromise of an instance.

Log Inspection Module provides visibility into important security events buried in log files. It optimizes the identification of important security events buried in multiple log entries across the data center, and forwards suspicious events to a SIEM system or centralized logging server for correlation, reporting and archiving. It leverages and enhances open-source software available at OSSEC.

Intrusion Prevention Module is both an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) which protects computers from being exploited by attacks against known and zero-day vulnerabilities, as well as against SQL injection attacks, cross-site scripting attacks, and other web application vulnerabilities. It shields vulnerabilities until code fixes can be completed, identifies malicious software accessing the network, and increases visibility into, or control over, applications accessing the network. Intrusion Prevention prevents attacks by detecting malicious instructions in network traffic and dropping the relevant packets.

Web Reputation Module protects against web threats by blocking access to malicious URLs. Deep Security uses Trend Micro's Web security databases from Smart Protection Network sources to check the reputation of Web sites that users are attempting to access. The Web site's reputation is correlated with the specific Web reputation policy enforced on the computer. Depending on the Web Reputation Security Level being enforced, Deep Security will either block or allow access to the URL.



NIST SP 800-53 r4 Control | Priority & Baselines | Trend Micro Solution Compliancy

AC-6 Access Control / Least Privilege

AC-6 (4) Access Control / Least Privilege / Separate Processing Domains

The information system provides separate processing domains to enable finer-grained allocation of user privileges.

Trend Micro Solution Compliancy:
Deep Security satisfies this requirement by providing fine-grained allocation of user privileges through the implementation of firewall rules/filters on specific virtual machines or physical machines to create separate processing domains/zones. This allows additional privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying actual machine.

Supplemental Guidance:
Providing separate processing domains for finer-grained allocation of user privileges includes, for example: (i) using virtualization techniques to allow additional privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying actual machine; (ii) employing hardware and/or software domain separation mechanisms; and (iii) implementing separate physical domains. Related controls: AC-4, SC-3, SC-30, SC-32.

AU-2 Audit and Accountability / Auditable Events

AU-2 Audit Events
Priority & Baselines: P1; L, M, H; CNSSI; FedRAMP

The organization:
a) Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
b) Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c) Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
d) Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

Trend Micro Solution Compliancy:
Deep Security supports this requirement by enabling organizations to audit and log security-related events through inspection of host-based network traffic for malicious activity, key files for changes, and system logs for indicators of suspicious activity. Logs include, for example, time stamps, source and destination addresses, identifiers, event descriptions, success/fail indications, and rules involved. Security event information can be integrated with an organization's SIEM product if required.

Supplemental Guidance:
An event is any observable occurrence in an organizational information system.
Organizations identify audit events as those events which are significant and relevant to
the security of information systems and the environments in which those systems operate
in order to meet specific and ongoing audit needs. Audit events can include, for example,
password changes, failed logons, or failed accesses related to information systems,
administrative privilege usage, PIV credential usage, or third-party credential usage. In
determining the set of auditable events, organizations consider the auditing appropriate for
each of the security controls to be implemented. To balance auditing requirements with
other information system needs, this control also requires identifying that subset of
auditable events that are audited at a given point in time. For example, organizations may
determine that information systems must have the capability to log every file access both
successful and unsuccessful, but not activate that capability except for specific
circumstances due to the potential burden on system performance. Auditing requirements,
including the need for auditable events, may be referenced in other security controls and
control enhancements. Organizations also include auditable events that are required by
applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Audit records can be generated at various levels of abstraction, including at the packet
level as information traverses the network. Selecting the appropriate level of abstraction is
a critical aspect of an audit capability and can facilitate the identification of root causes to
problems. Organizations consider in the definition of auditable events, the auditing
necessary to cover related events such as the steps in distributed, transaction-based
processes (e.g., processes that are distributed across multiple organizations) and actions
that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12,
MA-4, MP-2, MP-4, SI-4.


AU-3 Audit and Accountability / Content of Audit Records


AU-3 Content of Audit Records
Priority & Baselines: P1; L, M, H; CNSSI; FedRAMP

The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

Trend Micro Solution Compliancy:
Deep Security supports this requirement by enabling organizations to audit and log security-related events through inspection of host-based network traffic for malicious activity, key files for changes, and system logs for indicators of suspicious activity. Logs include, for example, time stamps, source and destination addresses, identifiers, event descriptions, success/fail indications, and rules involved. Security event information can be integrated with an organization's SIEM product if required.

Supplemental Guidance:
Audit record content that may be necessary to satisfy the requirement of this control,
includes, for example, time stamps, source and destination addresses, user/process
identifiers, event descriptions, success/fail indications, filenames involved, and access
control or flow control rules invoked. Event outcomes can include indicators of event
success or failure and event-specific results (e.g., the security state of the information
system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11.

AU-3 (1) Content of Audit Records / Additional Audit Information
Priority & Baselines: P1; M, H; CNSSI; FedRAMP

The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information].

Trend Micro Solution Compliancy:
Deep Security supports compliance with this requirement through the defined audit events and the ability to carry out specific queries against the audit records, simplifying the ability to locate the information of interest. In addition, deep packet inspection permits the capture of event data at the packet level, which can be analyzed for additional audit data relating to the security event.

Supplemental Guidance:
Detailed information that organizations may consider in audit records includes, for
example, full text recording of privileged commands or the individual identities of group
account users. Organizations consider limiting the additional audit information to only that
information explicitly needed for specific audit requirements. This facilitates the use of
audit trails and audit logs by not including information that could potentially be misleading
or could make it more difficult to locate information of interest.
AU-3 (2) Content of Audit Records / Centralized Management of Planned Audit Record Content
Priority & Baselines: P1; H; CNSSI

The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].

Trend Micro Solution Compliancy:
Deep Security supports this requirement by providing centralized management and configuration of security events, rules and policies. Event information can be integrated with an organization's SIEM product.

Supplemental Guidance:
This control enhancement requires that the content to be captured in audit records be
configured from a central location (necessitating automation). Organizations coordinate
the selection of required audit content to support the centralized management and
configuration capability provided by the information system. Related controls: AU-6, AU-7.

AU-6 Audit and Accountability / Audit Review, Analysis and Reporting

AU-6 Audit Review, Analysis, and Reporting
Priority & Baselines: P1; L, M, H; CNSSI; FedRAMP

The organization:
a) Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
b) Reports findings to [Assignment: organization-defined personnel or roles].

Trend Micro Solution Compliancy:
The Deep Security Log Inspection capability provides visibility into important security events buried in log files, and creates audit trails of administrator activity. It optimizes the identification of important security events buried in multiple log entries across the data center, and forwards suspicious events to a SIEM system or centralized logging server for correlation, reporting and archiving. Deep Security also maintains information regarding the administration and management of its security functions as part of the audit records.

Supplemental Guidance:
Audit review, analysis, and reporting covers information security-related auditing
performed by organizations including, for example, auditing that results from monitoring of
account usage, remote access, wireless connectivity, mobile device connection,
configuration settings, system component inventory, use of maintenance tools and
nonlocal maintenance, physical access, temperature and humidity, equipment delivery
and removal, communications at the information system boundaries, use of mobile code,
and use of VoIP. Findings can be reported to organizational entities that include, for
example, incident response team, help desk, information security group/department. If
organizations are prohibited from reviewing and analyzing audit information or unable to
conduct such activities (e.g., in certain national security applications or systems), the
review/analysis may be carried out by other organizations granted such authority. Related
controls: AC-2, AC-3, AC-6, AC-17, AT-3, AU-7, AU-16, CA-7, CM-5, CM-10, CM-11, IA-3,
IA-5, IR-5, IR-6, MA-4, MP-4, PE-3, PE-6, PE-14, PE-16, RA-5, SC-7, SC-18, SC-19, SI-3, SI-4, SI-7.


AU-6 (1) Audit Review, Analysis, and Reporting / Process Integration
Priority & Baselines: P1; M, H; CNSSI; FedRAMP

The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

Trend Micro Solution Compliancy:
Deep Security Recommendation Scan supports this requirement by allowing organizations to automate scanning of systems and patch levels against the latest Critical Vulnerability and Exposure (CVE) database, to automatically apply Deep Security rules/filters to detect/prevent exploitation of these vulnerabilities, and to produce audit logs and reports which can be used to support a continuous monitoring program or audits.

Supplemental Guidance:
Organizational processes benefiting from integrated audit review, analysis, and reporting
include, for example, incident response, continuous monitoring, contingency planning, and
Inspector General audits. Related controls: AU-12, PM-7.
AU-6 (5) Audit Review, Analysis, and Reporting / Integration / Scanning and Monitoring Capabilities
Priority & Baselines: P1; H; CNSSI

The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.

Trend Micro Solution Compliancy:
Deep Security supports the ability to centrally review and correlate audit data with threat detection (scanning and monitoring) data by providing interfaces to either a syslog server or direct input to a SIEM system, to enhance the ability to identify inappropriate or unusual activity. The Deep Security Log Inspection capability provides scanning and visibility into important security events buried in log files, and creates audit trails of administrator activity. It optimizes the identification of important security events buried in multiple log entries across the data center, and forwards suspicious events to a SIEM system or centralized logging server for correlation, reporting and archiving.

Supplemental Guidance:
This control enhancement does not require vulnerability scanning, the generation of
performance data, or information system monitoring. Rather, the enhancement requires
that the analysis of information being otherwise produced in these areas is integrated with
the analysis of audit information. Security Event and Information Management System
tools can facilitate audit record aggregation/consolidation from multiple information system
components as well as audit record correlation and analysis. The use of standardized
audit record analysis scripts developed by organizations (with localized script adjustments,
as necessary) provides more cost-effective approaches for analyzing audit record
information collected. The correlation of audit record information with vulnerability
scanning information is important in determining the veracity of vulnerability scans and
correlating attack detection events with scanning results. Correlation with performance
data can help uncover denial of service attacks or cyber-attacks resulting in unauthorized
use of resources. Correlation with system monitoring information can assist in uncovering
attacks and in better relating audit information to operational situations. Related controls:
AU-12, IR-4, RA-5.

CA-2 Security Assessment and Authorization / Security Assessments

CA-2 (2) Security Assessments / Specialized Assessments
Priority & Baselines: P2; H; CNSSI; FedRAMP

The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].

Trend Micro Solution Compliancy:
Deep Security Recommendation Scan supports this requirement by allowing organizations to automate scanning of systems and patch levels against the latest Critical Vulnerability and Exposure (CVE) database, to automatically apply Deep Security rules/filters to detect/prevent exploitation of these vulnerabilities, and to produce audit logs and reports which can be used to support a continuous monitoring program or audits.

Supplemental Guidance:
Organizations can employ information system monitoring, insider threat assessments,
malicious user testing, and other forms of testing (e.g., verification and validation) to
improve readiness by exercising organizational capabilities and indicating current
performance levels as a means of focusing actions to improve security. Organizations
conduct assessment activities in accordance with applicable federal laws, Executive
Orders, directives, policies, regulations, and standards. Authorizing officials approve the
assessment methods in coordination with the organizational risk executive function.
Organizations can incorporate vulnerabilities uncovered during assessments into
vulnerability remediation processes. Related controls: PE-3, SI-2.


CA-7 Security Assessment and Authorization / Continuous Monitoring

CA-7 Continuous Monitoring
Priority & Baselines: P2; L, M, H; CNSSI; FedRAMP

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a) Establishment of [Assignment: organization-defined metrics] to be monitored;
b) Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c) Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d) Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e) Correlation and analysis of security-related information generated by assessments and monitoring;
f) Response actions to address results of the analysis of security-related information; and
g) Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].

Trend Micro Solution Compliancy:
Deep Security Recommendation Scan supports this requirement by allowing organizations to automate scanning of systems and patch levels against the latest Critical Vulnerability and Exposure (CVE) database, to automatically apply Deep Security rules/filters to detect/prevent exploitation of these vulnerabilities, and to produce audit logs and reports which can be used to support a continuous monitoring program or audits.

Supplemental Guidance:
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities,
and information security to support organizational risk management decisions. The terms
continuous and ongoing imply that organizations assess/analyze security controls and
information security-related risks at a frequency sufficient to support organizational risk-
based decisions. The results of continuous monitoring programs generate appropriate risk
response actions by organizations. Continuous monitoring programs also allow
organizations to maintain the security authorizations of information systems and common
controls over time in highly dynamic environments of operation with changing
mission/business needs, threats, vulnerabilities, and technologies. Having access to
security-related information on a continuing basis through reports/dashboards gives
organizational officials the capability to make more effective and timely risk management
decisions, including ongoing security authorization decisions. Automation supports more
frequent updates to security authorization packages, hardware/software/firmware
inventories, and other system information. Effectiveness is further enhanced when
continuous monitoring outputs are formatted to provide information that is specific,
measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in
accordance with the security categories of information systems. Related controls: CA-2,
CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4.
CM-2 Configuration Management / Baseline Configuration

CM-2 (2) Configuration Management / Baseline Configuration / Automation Support for Accuracy / Currency
Priority & Baselines: P1; H; CNSSI; FedRAMP

The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

Trend Micro Solution Compliancy:
The Deep Security solution supports compliance with this requirement through the Integrity Monitoring and Recommendation Scan functionality. Integrity Monitoring ensures that critical security files are monitored for changes as part of an automated process to ensure the accuracy and availability of these files. The Recommendation Scanning engine is a framework within Deep Security Manager which allows the system to suggest and automatically assign security configuration. The goal is to make configuration of hosts easier and to assign only the security required to protect that host.

Supplemental Guidance:
Automated mechanisms that help organizations maintain consistent baseline
configurations for information systems include, for example, hardware and software
inventory tools, configuration management tools, and network management tools. Such
tools can be deployed and/or allocated as common controls, at the information system
level, or at the operating system or component level (e.g., on workstations, servers,
notebook computers, network components, or mobile devices). Tools can be used, for
example, to track version numbers on operating system applications, types of software
installed, and current patch levels. This control enhancement can be satisfied by the
implementation of CM-8 (2) for organizations that choose to combine information system
component inventory and baseline configuration activities. Related controls: CM-7, RA-5.
CM-2 (6) Configuration Management / Baseline Configuration / Development and Test Environments
The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.
Supplemental Guidance:
Establishing separate baseline configurations for development, testing, and operational environments helps protect information systems from unplanned/unexpected events related to development and testing activities. Separate baseline configurations allow organizations to apply the configuration management that is most appropriate for each type of configuration. For example, management of operational configurations typically emphasizes the need for stability, while management of development/test configurations requires greater flexibility. Configurations in the test environment mirror the configurations in the operational environment to the extent practicable so that the results of the testing are representative of the proposed changes to the operational systems. This control enhancement requires separate configurations but not necessarily separate physical environments. Related controls: CM-4, SC-3, SC-7.
Trend Micro Solution Compliancy:
The Deep Security solution supports satisfying this requirement through Integrity Monitoring, which compares the current condition of a monitored object with an existing baseline. Integrity Monitoring monitors critical system objects such as files, folders, registry entries, processes, services, and listening ports, and can assist in developing a system's baseline configuration and in notifying administrators of any modifications to it.
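The baseline comparison described above, carried through as an added example (not Trend Micro code): monitored files, registry entries, services and listening ports are snapshotted, diffed against a stored baseline, and each deviation becomes a change event; baselines are stored per environment so the development/test baseline is managed separately from the operational one. All snapshot data, paths and registry keys are constructed.

```python
"""Baseline integrity comparison in the style of the Integrity Monitoring
behaviour described above. Added illustration, not Trend Micro code; all
snapshots, paths and registry keys are constructed sample data."""
import hashlib
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# A monitored object is keyed by (kind, name); its value holds the attributes
# that are compared: file digest and mode, registry value, service state, port owner.
Snapshot = Dict[Tuple[str, str], Dict[str, str]]


@dataclass
class ChangeEvent:
    environment: str
    action: str                      # "created", "modified" or "deleted"
    kind: str                        # "file", "registry", "service", "port"
    name: str
    details: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # attr -> (old, new)


def file_entry(content: bytes, mode: str) -> Dict[str, str]:
    """Attributes recorded for a file: SHA-256 of its content and its permission bits."""
    return {"sha256": hashlib.sha256(content).hexdigest(), "mode": mode}


def compare(baseline: Snapshot, current: Snapshot, environment: str) -> List[ChangeEvent]:
    """Return one ChangeEvent per object whose attributes differ from the baseline."""
    events: List[ChangeEvent] = []
    for key in sorted(set(baseline) | set(current)):
        kind, name = key
        if key not in current:
            events.append(ChangeEvent(environment, "deleted", kind, name))
        elif key not in baseline:
            events.append(ChangeEvent(environment, "created", kind, name))
        else:
            old, new = baseline[key], current[key]
            diff = {a: (old.get(a), new.get(a)) for a in set(old) | set(new) if old.get(a) != new.get(a)}
            if diff:
                events.append(ChangeEvent(environment, "modified", kind, name, diff))
    return events


class BaselineStore:
    """One baseline per environment (CM-2 (6)): a state that is normal in
    'development' is still flagged when checked against 'operational'."""

    def __init__(self) -> None:
        self._baselines: Dict[str, Snapshot] = {}

    def establish(self, environment: str, snapshot: Snapshot) -> None:
        self._baselines[environment] = {k: dict(v) for k, v in snapshot.items()}

    def check(self, environment: str, snapshot: Snapshot) -> List[ChangeEvent]:
        if environment not in self._baselines:
            raise KeyError(f"no baseline established for environment {environment!r}")
        return compare(self._baselines[environment], snapshot, environment)


def summarize(events: List[ChangeEvent]) -> Dict[str, int]:
    """Count events by action, the figure an administrator notification would lead with."""
    return dict(Counter(e.action for e in events))


# Constructed operational baseline (not captured from any real system).
OPERATIONAL_BASELINE: Snapshot = {
    ("file", "/etc/ssh/sshd_config"): file_entry(b"PermitRootLogin no\n", "0600"),
    ("file", "/etc/passwd"): file_entry(b"root:x:0:0:root:/root:/bin/bash\n", "0644"),
    ("registry", r"HKLM\SOFTWARE\Example\Run\Updater"): {"value": r"C:\Program Files\Example\updater.exe"},
    ("service", "sshd"): {"state": "running"},
    ("service", "auditd"): {"state": "running"},
    ("port", "tcp/22"): {"owner": "sshd"},
}

# The same host later: root login enabled and file mode loosened, a registry
# autorun repointed, the audit service gone, and a new listening port.
DRIFTED_SNAPSHOT: Snapshot = {
    ("file", "/etc/ssh/sshd_config"): file_entry(b"PermitRootLogin yes\n", "0644"),
    ("file", "/etc/passwd"): file_entry(b"root:x:0:0:root:/root:/bin/bash\n", "0644"),
    ("registry", r"HKLM\SOFTWARE\Example\Run\Updater"): {"value": r"C:\Users\Public\updater.exe"},
    ("service", "sshd"): {"state": "running"},
    ("port", "tcp/22"): {"owner": "sshd"},
    ("port", "tcp/4444"): {"owner": "unknown"},
}


def demo_operational_check() -> List[ChangeEvent]:
    store = BaselineStore()
    store.establish("operational", OPERATIONAL_BASELINE)
    return store.check("operational", DRIFTED_SNAPSHOT)


def demo_development_check() -> List[ChangeEvent]:
    """The drifted state is the development baseline itself, so it yields no events there."""
    store = BaselineStore()
    store.establish("development", DRIFTED_SNAPSHOT)
    return store.check("development", DRIFTED_SNAPSHOT)


if __name__ == "__main__":
    for e in demo_operational_check():
        print(e.environment, e.action, e.kind, e.name, e.details)
```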
CM-6 Configuration Management / Configuration Settings
CM-6 Configuration Management / Configuration Settings
Priority & Baselines: P1; LMH; CNSSI; FedRAMP
The organization:
a) Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b) Implements the configuration settings;
c) Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and
d) Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
Supplemental Guidance:
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4.
Trend Micro Solution Compliancy:
The Deep Security solution supports satisfying this requirement through the Integrity Monitoring functionality, which alerts an administrator of a physical or virtualized environment to modifications of critical security configuration objects. In addition, the Deep Security solution has introduced, within the virtualized environment, hypervisor integrity monitoring utilizing Intel TPM/TXT technology to monitor whether the hypervisor is compromised.
The Recommendation Scanning function within Deep Security Manager also supports compliance with this requirement by creating default policies that can be automatically assigned to a new server when it comes online, and by allowing the system to automatically assign security configuration to existing servers. The goal is to automate configuration of hosts and assign the security policies required to protect that server/host.
As additional information: Deep Security can run Recommendation Scans on computers to identify known vulnerabilities. The operation scans the operating system and installed applications. Based on what is detected, Deep Security will recommend security Rules that should be applied. During a Recommendation Scan, Deep Security Agents scan:
- the operating system,
- installed applications,
- the Windows registry,
- open ports,
- the directory listing,
- the file system,
- running processes and services, and
- users.
For large deployments, Trend Micro recommends managing Recommendations at the Policy level. That is, all computers that are to be scanned should already have a Policy assigned to them. This way, an organization can make all rule assignments from a single source (the Policy) rather than having to manage individual rules on individual computers.
Recommendation Scans can be initiated manually or run as a Scheduled Task that periodically scans specified computers.
CM-6 (1) Configuration Management / Configuration Settings / Automated Central Management / Application / Verification
Priority & Baselines: P1; H; CNSSI; FedRAMP
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].
Supplemental Guidance: Related controls: CA-7, CM-4.
Trend Micro Solution Compliancy:
Deep Security supports this requirement through the Integrity Monitoring functionality, which alerts an administrator of a physical or virtualized environment to modifications of critical security configuration objects. Recommendation Scans also support this requirement by allowing organizations to automate scanning of systems and patch levels against the latest Critical Vulnerability and Exposure (CVE) database, and to automatically apply Deep Security rules/filters to detect/prevent exploitation of the identified vulnerabilities.
CP-2 Contingency Planning / Contingency Plan
CP-2 (6) Contingency Plan / Alternate Processing / Storage Site
The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.
Supplemental Guidance:
Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites). Related control: PE-12.
Trend Micro Solution Compliancy:
Deep Security supports satisfying this requirement, specifically in the virtual environment, because Deep Security policies, rules and filters are linked with Virtual Machines as they are moved to alternate processing or storage sites; this ensures the security remains intact after the VM move. The Recommendation Scanning function within Deep Security Manager also supports compliance with this requirement by creating default policies that can be automatically assigned to a new server when it comes online, and by allowing the system to automatically assign security configuration to existing servers. The goal is to automate configuration of hosts and assign the security policies (rules) required to protect that server/host.

IR-4 Incident Response / Incident Handling


IR-4 Incident Handling
Priority & Baselines: P1; LMH; CNSSI; FedRAMP
The organization:
a) Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b) Coordinates incident handling activities with contingency planning activities; and
c) Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
Supplemental Guidance:
Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7.
Trend Micro Solution Compliancy:
Deep Security's prime functions are to detect and, where possible, mitigate threats and to disseminate threat/attack/incident data to other systems; its core functions consider incident response as part of their definition, design, and development.
Deep Security raises alerts when incidents occur that require special attention. Alerts can be raised due to security Events, such as the detection of malware or an abnormal restart on a protected computer, or they can be system events, like the Deep Security Manager running low on disk space. Deep Security can be configured to send email notifications when specific Alerts are raised.
IR-4 (1) Incident Handling / Automated Incident Handling Processes
Priority & Baselines: P1; MH; CNSSI; FedRAMP
The organization employs automated mechanisms to support the incident handling process.
Supplemental Guidance:
Automated mechanisms supporting incident handling processes include, for example, online incident management systems.
Trend Micro Solution Compliancy:
The Deep Security Recommendation Scan supports this requirement by allowing organizations to automate scanning of systems and patch levels against the latest Critical Vulnerability and Exposure (CVE) database, to automatically apply Deep Security rules/filters to detect/prevent exploitation of these vulnerabilities, and to produce audit logs and reports which can be used to support a continuous monitoring program or audits.
The Deep Security Intrusion Detection and Prevention module supports incident handling by automatically protecting computers from exploitation through attacks against known and zero-day vulnerabilities, as well as against SQL injection attacks, cross-site scripting attacks, and other web application vulnerabilities. It shields vulnerabilities until code fixes can be completed, identifies malicious software accessing the network, and increases visibility into, or control over, applications accessing the network. Intrusion Prevention prevents attacks by detecting malicious instructions in network traffic and dropping the relevant packets.
IR-4 (2) Incident Handling / Dynamic Reconfiguration
The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability.
Supplemental Guidance:
Dynamic reconfiguration includes, for example, changes to router rules, access control lists, intrusion detection/prevention system parameters, and filter rules for firewalls and gateways. Organizations perform dynamic reconfiguration of information systems, for example, to stop attacks, to misdirect attackers, and to isolate components of systems, thus limiting the extent of the damage from breaches or compromises. Organizations include time frames for achieving the reconfiguration of information systems in the definition of the reconfiguration capability, considering the potential need for rapid response in order to effectively address sophisticated cyber threats. Related controls: AC-2, AC-4, AC-16, CM-2, CM-3, CM-4.
Trend Micro Solution Compliancy:
Deep Security supports this requirement through its support of VMware's NSX, by tagging infected virtual machines so that they can be automatically quarantined.
IR-4 (9) Incident Handling / Dynamic Response Capability
The organization employs [Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents.
Supplemental Guidance:
This control enhancement addresses the deployment of replacement or new capabilities in a timely manner in response to security incidents (e.g., adversary actions during hostile cyber attacks). This includes capabilities implemented at the mission/business process level (e.g., activating alternative mission/business processes) and at the information system level. Related control: CP-10.
Trend Micro Solution Compliancy:
The Deep Security Recommendation Scan supports this requirement by allowing organizations to automate scanning of systems and patch levels against the latest Critical Vulnerability and Exposure (CVE) database, to automatically apply Deep Security rules/filters to detect/prevent exploitation of these vulnerabilities, and to produce audit logs and reports which can be used to support a continuous monitoring program or audits.
Deep Security also supports this requirement through its support of VMware's NSX, by tagging infected virtual machines so that they can be automatically quarantined.
IR-5 Incident Response / Monitoring
IR-5 Incident Monitoring
Priority & Baselines: P1; LMH; CNSSI
The organization tracks and documents information system security incidents.
Supplemental Guidance:
Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Related controls: AU-6, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7.
Trend Micro Solution Compliancy:
Deep Security Manager supports this control through its ability to produce and distribute incident data and reports as required by an organization's policies, and through the Trend Micro Control Manager, which can track and distribute the reporting of security incidents detected by Deep Security.
IR-5 (1) Incident Monitoring / Automated Tracking / Data Collection / Analysis
Priority & Baselines: P1; H; CNSSI
The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.
Supplemental Guidance:
Automated mechanisms for tracking security incidents and collecting/analyzing incident information include, for example, the Einstein network monitoring device and monitoring online Computer Incident Response Centers (CIRCs) or other electronic databases of incidents. Related controls: AU-7, IR-4.
Trend Micro Solution Compliancy:
Within the Trend Micro services, the Smart Protection Network uses a global network of threat intelligence sensors to continually update email, web, and file reputation databases in the cloud, identifying and blocking threats in real time before they reach the organization.
Deep Security Manager supports this control through its ability to automatically produce and distribute incident data and reports as required by an organization's policies, and through the Trend Micro Control Manager, which can track and distribute the reporting of security incidents detected by Deep Security.

IR-6 Incident Response / Reporting


IR-6 (1) Incident Reporting / Automated Reporting
Priority & Baselines: P1; MH; CNSSI; FedRAMP
The organization employs automated mechanisms to assist in the reporting of security incidents.
Supplemental Guidance: Related control: IR-7.
Trend Micro Solution Compliancy:
Deep Security supports this control through its ability to automatically produce and distribute alerts and reports as required by an organization's policies.
IR-6 (2) Incident Reporting / Vulnerabilities Related to Incidents
Priority & Baselines: CNSSI
The organization reports information system vulnerabilities associated with reported security incidents to [Assignment: organization-defined personnel or roles].
Trend Micro Solution Compliancy:
An organization can leverage the capabilities of Deep Security to report discovered vulnerabilities associated with security incidents to an appointed person or role within the organization. Vulnerability reporting is generated within Deep Security Manager, along with alert generation and automated report creation and delivery. In addition, Deep Security supports satisfying this requirement by providing an organization with updates to vulnerability rules that shield known and reported vulnerabilities. Rules that shield newly discovered or reported vulnerabilities are automatically delivered, often within hours, and can be pushed out to thousands of servers and end-user systems within minutes, without the need for disruptive system restarts.
RA-5 Risk Assessment / Vulnerability Scanning


RA-5 (1) Risk Assessment / Vulnerability Scanning / Update Tool Capability
Priority & Baselines: P1; MH; CNSSI; FedRAMP
The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.
Supplemental Guidance:
The vulnerabilities to be scanned need to be readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This updating process helps to ensure that potential vulnerabilities in the information system are identified and addressed as quickly as possible. Related controls: SI-3, SI-7.
Trend Micro Solution Compliancy:
The Deep Security Recommendation Scan supports this requirement by allowing organizations to automate scanning of systems and patch levels against the latest Critical Vulnerability and Exposure (CVE) database, to automatically update and apply Deep Security signatures, engines, patterns, and rules/filters to detect/prevent exploitation of these vulnerabilities, and to produce audit logs and reports which can be used to support a continuous monitoring program or audits.
RA-5 (2) Risk Assessment / Vulnerability Scanning / Update by Frequency / Prior to New Scan / When Identified
Priority & Baselines: P1; MH; CNSSI; FedRAMP
The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].
Supplemental Guidance: Related controls: SI-3, SI-5.
Trend Micro Solution Compliancy:
Deep Security Recommendation Scan rules/filters can be manually or automatically downloaded and applied as soon as they are made available. Trend Micro participates in software vendor vulnerability programs in order to have Deep Security signatures, engines, patterns, and rules/filters available as close to the announcement of the vulnerability as possible.
RA-5 (3) Risk Assessment / Vulnerability Scanning / Breadth / Depth of Coverage
Priority & Baselines: FedRAMP
The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).
Trend Micro Solution Compliancy:
The Deep Security solution supports compliance with this requirement and can provide the evidence, through log inspection or audit records, of the virtual or physical servers scanned, and can report on the vulnerabilities checked.
RA-5 (4) Risk Assessment / Vulnerability Scanning / Discoverable Information
Priority & Baselines: P1; H; CNSSI
The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions].
Supplemental Guidance:
Discoverable information includes information that adversaries could obtain without directly compromising or breaching the information system, for example, by collecting information the system is exposing or by conducting extensive searches of the web. Corrective actions can include, for example, notifying appropriate organizational personnel, removing designated information, or changing the information system to make designated information less relevant or attractive to adversaries. Related control: AU-13.
Trend Micro Solution Compliancy:
Deep Security satisfies this requirement through the firewall module, which detects reconnaissance activities of intruders and indicates to the systems administrator that such activity is taking place.
RA-5 (6) Risk Assessment / Vulnerability Scanning / Automated Trend Analyses
Priority & Baselines: FedRAMP
The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
Supplemental Guidance: Related controls: IR-4, IR-5, SI-4.
Trend Micro Solution Compliancy:
The Deep Security solution provides statistical and trending information on vulnerabilities at various levels, including raw network packet data and malware and anti-virus signature file updates and their effectiveness; this information can be used to determine the efficiency of the mechanisms in place to counter threats.
Deep Security Recommendation Scan Policies and Rules can be updated to reflect new software being installed on a computer, new operating system vulnerabilities being discovered, or a previous vulnerability being corrected by an operating system or software service pack. Because of the dynamic nature of the security requirements on a computer, Recommendation Scans can be run on a regular, automated basis as a scheduled task; each scan assesses the current state of the computer and compares it against the latest Deep Security protection module updates to see whether the current security Policy needs to be updated. In addition, Deep Security can be configured to automatically assign and unassign Rules after a Recommendation Scan.
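Scan-over-scan comparison and rule reconciliation in the style described above, as an added example (not Trend Micro code): successive scan results for one host are diffed to list new, resolved and persistent findings, findings that survive several consecutive scans are singled out, and the host's assigned rule set is adjusted to the latest recommendation without unassigning the Policy's baseline rules. The scan history and the vulnerability and rule identifiers are constructed placeholders, not real CVE or Deep Security rule numbers.

```python
"""Trend analysis over successive scan results plus assign/unassign
reconciliation. Added illustration, not Trend Micro code; VULN-* and RULE-*
are constructed placeholder identifiers."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class ScanResult:
    host: str
    scanned_at: str                    # ISO date of the scheduled scan
    findings: FrozenSet[str]           # vulnerabilities detected on the host
    recommended_rules: FrozenSet[str]  # rules the scan recommends to shield them


def trend_for_host(results: List[ScanResult]) -> List[Dict[str, object]]:
    """Compare each scan with the previous one for the same host, oldest first."""
    ordered = sorted(results, key=lambda r: r.scanned_at)
    rows: List[Dict[str, object]] = []
    previous: FrozenSet[str] = frozenset()
    for r in ordered:
        rows.append({
            "scanned_at": r.scanned_at,
            "open": len(r.findings),
            "new": sorted(r.findings - previous),
            "resolved": sorted(previous - r.findings),
            "persistent": sorted(r.findings & previous),
        })
        previous = r.findings
    return rows


def chronic_findings(results: List[ScanResult], scans: int = 3) -> Set[str]:
    """Findings present in every one of the last `scans` scans: still unpatched,
    so they are relying on shielding rules rather than on a fix."""
    ordered = sorted(results, key=lambda r: r.scanned_at)[-scans:]
    if len(ordered) < scans:
        return set()
    common = set(ordered[0].findings)
    for r in ordered[1:]:
        common &= r.findings
    return common


def reconcile_rules(assigned: Set[str], latest: ScanResult,
                    baseline_rules: Set[str]) -> Dict[str, List[str]]:
    """Rules to assign and unassign after a scan. Baseline rules come from the
    Policy rather than from the scan, so they are never unassigned here."""
    wanted = set(latest.recommended_rules) | baseline_rules
    return {"assign": sorted(wanted - assigned), "unassign": sorted(assigned - wanted)}


# Constructed monthly scan history for one host.
WEB01_SCANS = [
    ScanResult("web-01", "2015-07-01", frozenset({"VULN-1", "VULN-2", "VULN-3"}),
               frozenset({"RULE-1", "RULE-2", "RULE-3"})),
    ScanResult("web-01", "2015-08-01", frozenset({"VULN-1", "VULN-3", "VULN-4"}),
               frozenset({"RULE-1", "RULE-3", "RULE-4"})),
    ScanResult("web-01", "2015-09-01", frozenset({"VULN-1", "VULN-4"}),
               frozenset({"RULE-1", "RULE-4"})),
]
POLICY_BASELINE_RULES = {"RULE-BASE"}


def demo() -> Dict[str, object]:
    latest = max(WEB01_SCANS, key=lambda r: r.scanned_at)
    currently_assigned = {"RULE-1", "RULE-3", "RULE-BASE"}   # state before the September scan
    return {
        "trend": trend_for_host(WEB01_SCANS),
        "chronic": chronic_findings(WEB01_SCANS),
        "changes": reconcile_rules(currently_assigned, latest, POLICY_BASELINE_RULES),
    }


if __name__ == "__main__":
    result = demo()
    for row in result["trend"]:
        print(row)
    print("chronic:", sorted(result["chronic"]))
    print("rule changes:", result["changes"])
```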
RA-5 (8) Risk Assessment / Vulnerability Scanning / Review Historic Audit Logs
Priority & Baselines: FedRAMP
The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.
Trend Micro Solution Compliancy:
Deep Security supports compliance with this requirement by providing the audit and log information on when vulnerabilities are identified. In addition, when a new vulnerability is identified, Deep Security automatically provides updated rules, patterns and signature files to detect and block attacks against the newly discovered vulnerability.
RA-5 (10) Risk Assessment / Vulnerability Scanning / Correlate Scanning Information
Priority & Baselines: CNSSI
The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.
Trend Micro Solution Compliancy:
Deep Security provides a single-pane-of-glass view of multiple suspicious activities, through network packet inspection, log inspection, object integrity monitoring and audit records, that could lead to a successful attack on the information system if allowed to develop.
SC-7 System and Communications Protection / Boundary Protection


SC-7 System and Communications Protection / Boundary Protection
Priority & Baselines: P1; LMH; CNSSI
The information system:
a) Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b) Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c) Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Supplemental Guidance:
Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13.
Trend Micro Solution Compliancy:
Deep Security functions as a host-based boundary protection device. Deep Security provides agentless and agent-based protection for physical, virtual, and cloud-based computers. Protection includes:
- Anti-Malware,
- Web Reputation,
- Firewall,
- Intrusion Detection and Prevention,
- Integrity Monitoring, and
- Log Inspection.
The Deep Security firewall provides subnetwork controls that architecturally separate the public front-end systems from the internal networks.
SC-7 (5) System and Communications Protection / Boundary Protection / Deny by Default / Allow by Exception
Priority & Baselines: P1; MH; CNSSI; FedRAMP
The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).
Supplemental Guidance:
This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
Trend Micro Solution Compliancy:
Deep Security satisfies this requirement through the host firewall rules, which are implemented to deny all traffic and allow only by explicit exception.
SC-7 (9) System and Communications Protection / Boundary Protection / Restrict Threatening Outgoing Communications Traffic
Priority & Baselines: CNSSI
The information system:
a) Detects and denies outgoing communications traffic posing a threat to external information systems; and
b) Audits the identity of internal users associated with denied communications.
Supplemental Guidance:
Detecting outgoing communications traffic from internal actions that may pose threats to external information systems is sometimes termed extrusion detection. Extrusion detection at information system boundaries as part of managed interfaces includes the analysis of incoming and outgoing communications traffic searching for indications of internal threats to the security of external systems. Such threats include, for example, traffic indicative of denial of service attacks and traffic containing malicious code. Related controls: AU-2, AU-6, SC-38, SC-44, SI-3, SI-4.
Trend Micro Solution Compliancy:
Deep Security supports Application Control rules that can provide protection for outbound traffic. Rules can be defined to detect allowed protocols over unexpected ports, which may be an indication of malware attempting to call home to a command and control server. The products also have the ability to detect and control unexpected protocol traffic on servers - say, for example, you see FTP traffic originating from an Exchange server ...
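The deny-by-default policy of SC-7 (5) and the outbound checks of SC-7 (9) carried through as one added example (not Deep Security's rule engine): a connection is denied unless an explicit rule allows it, an allowed port carrying a protocol the rule was not written for is denied, a protocol a server's role is not expected to initiate (FTP from a mail server) is denied, and every denied outbound connection is audited with the local user and process behind it. The rules, host roles and connection records are constructed, and the application protocol on each record is assumed to have been identified by inspection.

```python
"""Deny-by-default / allow-by-exception host firewall with outbound checks
and audit of denied outbound traffic. Added illustration, not Deep Security
code; rules, roles and connection records are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str             # "in" (to the protected host) or "out" (from it)
    proto: str                 # transport protocol
    port: int                  # destination port of the connection
    app_proto: str             # application protocol the exception was written for
    remote: str = "0.0.0.0/0"  # CIDR the remote end must fall inside


@dataclass(frozen=True)
class Connection:
    host: str                  # protected host the agent runs on
    direction: str
    proto: str
    remote_ip: str
    port: int
    app_proto: str             # as identified by packet inspection (assumed here)
    user: str                  # local account owning the socket
    process: str


@dataclass
class Decision:
    verdict: str               # "allow" or "deny"
    reason: str
    rule: Optional[str] = None


class HostFirewall:
    def __init__(self, rules: List[Rule], role_protocols: Dict[str, Set[str]]) -> None:
        self.rules = list(rules)
        self.role_protocols = role_protocols    # host -> protocols it is expected to initiate
        self.audit: List[Dict[str, str]] = []   # denied outbound traffic, with user identity

    def evaluate(self, c: Connection) -> Decision:
        for r in self.rules:
            if (r.direction, r.proto, r.port) != (c.direction, c.proto, c.port):
                continue
            if ipaddress.ip_address(c.remote_ip) not in ipaddress.ip_network(r.remote):
                continue
            if r.app_proto != c.app_proto:
                # The port is open, but the traffic on it is not what the exception allows.
                return self._deny(c, f"{c.app_proto} over port {c.port}; rule {r.name} expects {r.app_proto}", r.name)
            if c.direction == "out" and c.app_proto not in self.role_protocols.get(c.host, set()):
                return self._deny(c, f"{c.host} is not expected to initiate {c.app_proto}", r.name)
            return Decision("allow", "explicit exception", r.name)
        return self._deny(c, "no matching rule (default deny)")

    def _deny(self, c: Connection, reason: str, rule: Optional[str] = None) -> Decision:
        if c.direction == "out":   # SC-7 (9) b: who was behind the denied outbound traffic
            self.audit.append({"host": c.host, "user": c.user, "process": c.process,
                               "remote": c.remote_ip, "port": str(c.port), "reason": reason})
        return Decision("deny", reason, rule)


# Constructed policy: a mail server accepts SMTP and HTTPS, administrators reach
# SSH from one subnet, and only hosts with FTP in their role may push to the
# internal file-server subnet. Everything else falls through to the default deny.
RULES = [
    Rule("smtp-in", "in", "tcp", 25, "smtp"),
    Rule("https-in", "in", "tcp", 443, "https"),
    Rule("ssh-admin-in", "in", "tcp", 22, "ssh", "10.0.0.0/24"),
    Rule("smtp-out", "out", "tcp", 25, "smtp"),
    Rule("https-out", "out", "tcp", 443, "https"),
    Rule("ftp-out-internal", "out", "tcp", 21, "ftp", "10.0.5.0/24"),
]
ROLE_PROTOCOLS = {"exchange-01": {"smtp", "https"}, "build-01": {"https", "ftp"}}

# Constructed connection records (203.0.113.0/24 is a documentation address range).
SAMPLE_CONNECTIONS = [
    Connection("exchange-01", "in", "tcp", "203.0.113.10", 443, "https", "-", "-"),
    Connection("exchange-01", "in", "tcp", "203.0.113.10", 22, "ssh", "-", "-"),
    Connection("exchange-01", "in", "tcp", "203.0.113.10", 3389, "rdp", "-", "-"),
    Connection("exchange-01", "out", "tcp", "10.0.5.7", 21, "ftp", "svc_exchange", "cmd.exe"),
    Connection("build-01", "out", "tcp", "10.0.5.7", 21, "ftp", "builder", "ftp"),
    Connection("exchange-01", "out", "tcp", "203.0.113.50", 443, "http", "svc_exchange", "w3wp.exe"),
    Connection("exchange-01", "out", "tcp", "203.0.113.25", 25, "smtp", "svc_exchange", "edgetransport.exe"),
]


def run_sample() -> Tuple[List[Decision], List[Dict[str, str]]]:
    fw = HostFirewall(RULES, ROLE_PROTOCOLS)
    decisions = [fw.evaluate(c) for c in SAMPLE_CONNECTIONS]
    return decisions, fw.audit


if __name__ == "__main__":
    decisions, audit = run_sample()
    for c, d in zip(SAMPLE_CONNECTIONS, decisions):
        print(f"{c.host:12} {c.direction:3} {c.app_proto:5} {c.remote_ip}:{c.port:<5} {d.verdict:5} {d.reason}")
    print("audit entries:", audit)
```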
SC-7 (11) System and Communications Protection / Boundary Protection / Restrict Incoming Communications Traffic
Priority & Baselines: CNSSI
The information system only allows incoming communications from [Assignment: organization-defined authorized sources] routed to [Assignment: organization-defined authorized destinations].
Supplemental Guidance:
This control enhancement provides determinations that source and destination address pairs represent authorized/allowed communications. Such determinations can be based on several factors including, for example, the presence of source/destination address pairs in lists of authorized/allowed communications, the absence of address pairs in lists of unauthorized/disallowed pairs, or meeting more general rules for authorized/allowed source/destination pairs. Related control: AC-3.
Trend Micro Solution Compliancy:
The Deep Security Firewall rules examine the control information of network packets and determine if a network connection should be allowed. Stateful Configuration filters analyze each network packet in the context of traffic history, correctness of TCP and IP header values, and TCP connection state transitions, and manage existing network sessions with great efficiency.
Virtual machine isolation: Allows VMs to be isolated virtual environments, providing virtual segmentation without the need to modify virtual switch configurations or network architecture.
Fine-grained filtering: Firewall rules filter traffic based on source and destination IP address, port, MAC address, etc. Different rules can be applied to different network interfaces. For end-user systems, the firewall is location aware, and is able to limit interface use such that only a single interface can be used at one time.
Security Profiles provide a logical way of replicating security settings to physical or virtual servers or machines that share similar security requirements.
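The three authorization factors named in the Supplemental Guidance above (explicit allowed pairs, explicit disallowed pairs, and more general rules) worked through as a decision routine. This is an added example written for this page, not Deep Security's own firewall implementation; all addresses, ports and rule data are constructed.

```python
"""Source/destination pair authorization for incoming traffic (SC-7 (11) style).

Added example, not Deep Security code. The policy data is constructed for
illustration; the decision order mirrors the control's Supplemental Guidance:
an explicit disallowed pair always denies, an explicit allowed pair allows,
otherwise more general (CIDR/port) rules are consulted, and anything left
unmatched is denied, since the control only *allows* authorized pairs.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One inbound connection attempt seen at the managed interface."""
    src: str
    dst: str
    dst_port: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class GeneralRule:
    """Any source in src_net may reach dst_net on the listed ports/protocol."""
    src_net: str
    dst_net: str
    ports: frozenset
    proto: str


# Constructed policy (hypothetical addresses, not taken from the document).
ALLOWED_PAIRS = {
    ("10.10.1.5", "10.20.0.10"),   # e.g. an admin host -> a database server
    ("10.10.1.6", "10.20.0.10"),
}
DISALLOWED_PAIRS = {
    ("10.10.1.6", "10.20.0.11"),   # explicitly forbidden, overrides general rules
}
GENERAL_RULES = [
    GeneralRule("10.10.0.0/16", "10.20.0.0/24", frozenset({80, 443}), "tcp"),
]


def _matches_general(flow, rule):
    """True when the flow falls inside the rule's source/destination networks."""
    try:
        src = ipaddress.ip_address(flow.src)
        dst = ipaddress.ip_address(flow.dst)
    except ValueError:
        return False  # a malformed address never satisfies an allow rule
    return (flow.proto == rule.proto
            and flow.dst_port in rule.ports
            and src in ipaddress.ip_network(rule.src_net)
            and dst in ipaddress.ip_network(rule.dst_net))


def decide(flow):
    """Return ("allow" | "deny", reason) for one inbound flow."""
    pair = (flow.src, flow.dst)
    if pair in DISALLOWED_PAIRS:
        return "deny", "pair is on the disallowed list"
    if pair in ALLOWED_PAIRS:
        return "allow", "pair is on the allowed list"
    for rule in GENERAL_RULES:
        if _matches_general(flow, rule):
            return "allow", "matched general rule %s -> %s" % (rule.src_net, rule.dst_net)
    return "deny", "no authorization found (default deny)"


if __name__ == "__main__":
    # Constructed sample traffic: allowed pair, denied pair that would otherwise
    # match the general rule, general-rule match, and an unknown external source.
    for f in [Flow("10.10.1.5", "10.20.0.10", 5432, "tcp"),
              Flow("10.10.1.6", "10.20.0.11", 443, "tcp"),
              Flow("10.10.7.9", "10.20.0.20", 443, "tcp"),
              Flow("192.0.2.8", "10.20.0.10", 443, "tcp")]:
        verdict, reason = decide(f)
        print("%s:%d -> %s:%d/%s  %s (%s)" % (f.src, 0, f.dst, f.dst_port, f.proto, verdict, reason))
```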
SC-7 (12) System and Communications Protection / Boundary Protection / Host-Based Protection
Priority & Baselines: CNSSI, FedRAMP
The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components].
Supplemental Guidance:
Host-based boundary protection mechanisms include, for example, host-based firewalls. Information system components employing host-based boundary protection mechanisms include, for example, servers, workstations, and mobile devices.
Trend Micro Solution Compliancy:
The Deep Security solution provides host-based boundary protection through the host application stateful inspection firewall, through the host deep packet inspection, and through web reputation services. This can be implemented at the server or workstation level in the physical or virtual environments.
SC-7 (16) System and Communications Protection / Boundary Protection / Prevent Discovery of Components / Devices
The information system prevents discovery of specific system components composing a managed interface.
Supplemental Guidance:
This control enhancement protects network addresses of information system components that are part of managed interfaces from discovery through common tools and techniques used to identify devices on networks. Network addresses are not available for discovery (e.g., network address not published or entered in domain name systems), requiring prior knowledge for access. Another obfuscation technique is to periodically change network addresses.
Trend Micro Solution Compliancy:
The Deep Security solution, through the functionality of "Reconnaissance Detection", can determine and advise if an external entity is attempting to discover specific system components or weaknesses associated with them.
Smart rules provide broad protection, and low-level insight, for servers and end-user systems. For operating systems and applications, the rules limit variations of elements of traffic, limiting the ability of attackers to investigate possible attack vectors since many attacks are based on exceeding expected characteristics. For servers and end-user systems, smart rules also provide insight into application activity and unexpected traffic (HTTP on an unexpected port, use of a web browser on a server, etc.).
SC-7 (17) System and Communications Protection / Boundary Protection / Automated Enforcement of Protocol Formats
The information system enforces adherence to protocol formats.
Supplemental Guidance:
Information system components that enforce protocol formats include, for example, deep packet inspection firewalls and XML gateways. Such system components verify adherence to protocol formats/specifications (e.g., IEEE) at the application layer and identify significant vulnerabilities that cannot be detected by devices operating at the network or transport layers. Related control: SC-4.
Trend Micro Solution Compliancy:
The Deep Packet Inspection module is available in both the Deep Security Agent and Deep Security Appliance for VMware ESX/ESXi.
Deep Packet Inspection provides an automated IDS/IPS capability, which protects operating systems, commercial off-the-shelf applications, and custom web applications against attacks such as SQL injection and cross-site scripting.
Security updates that provide protection against newly discovered vulnerabilities are automatically delivered to host machines.
Detailed event records are produced, which provide valuable information, including the source of the attack, the time, and what the potential intruder was attempting to exploit.
SC-7 (19) System and Communications Protection / Boundary Protection / Blocks Communication From Non-Organizationally Configured Hosts
The information system blocks both inbound and outbound communications traffic between [Assignment: organization-defined communication clients] that are independently configured by end users and external service providers.
Supplemental Guidance:
Communication clients independently configured by end users and external service providers include, for example, instant messaging clients. Traffic blocking does not apply to communication clients that are configured by organizations to perform authorized functions.
Trend Micro Solution Compliancy:
The Deep Security Firewall Rules examine the control information of network packets and determine if a network connection should be allowed. Stateful Configuration filters analyze each network packet in the context of traffic history, correctness of TCP and IP header values, and TCP connection state transitions, and manage existing network sessions with great efficiency.

SC-7 (20) System and Communications Protection / Boundary Protection / Dynamic Isolation / Segregation
The information system provides the capability to dynamically isolate/segregate [Assignment: organization-defined information system components] from other components of the system.
Supplemental Guidance:
The capability to dynamically isolate or segregate certain internal components of organizational information systems is useful when it is necessary to partition or separate certain components of dubious origin from those components possessing greater trustworthiness. Component isolation reduces the attack surface of organizational information systems. Isolation of selected information system components is also a means of limiting the damage from successful cyber attacks when those attacks occur.
Trend Micro Solution Compliancy:
The Deep Security firewall, as an EAL2 mechanism, can be used to create the implied Trust Zone architectures in a physical and virtualized environment through the use of the Deep Security Virtualized Appliance.
Deep Security supports this requirement by its support of VMware's NSX, tagging infected virtual machines and allowing them to be automatically quarantined.

SC-32 System and Communications Protection / Information System Partitioning


SC-32 System and Communications Protection / Information System Partitioning
Priority & Baselines: P0
The organization partitions the information system into [Assignment: organization-defined information system components] residing in separate physical domains or environments based on [Assignment: organization-defined circumstances for physical separation of components].
Supplemental Guidance:
Information system partitioning is a part of a defense-in-depth protection strategy. Organizations determine the degree of physical separation of system components from physically distinct components in separate racks in the same room, to components in separate rooms for the more critical components, to more significant geographical separation of the most critical components. Security categorization can guide the selection of appropriate candidates for domain partitioning. Managed interfaces restrict or prohibit network access and information flow among partitioned information system components. Related controls: AC-4, SA-8, SC-2, SC-3, SC-7.
Trend Micro Solution Compliancy:
The Deep Security solution provides, through the firewall functionality, an ability to create Trust Zones in a physical or virtualized environment. The Deep Packet Inspection provides flow control between the various machines, either physical or virtualized, in the different Trust Zones.
SC-36 System and Communications Protection / Distributed Processing and Storage
SC-36 System and Communications Protection / Distributed Processing and Storage
Priority & Baselines: P0
The organization distributes [Assignment: organization-defined processing and storage] across multiple physical locations.
Supplemental Guidance:
Distributing processing and storage across multiple physical locations provides some degree of redundancy or overlap for organizations, and therefore increases the work factor of adversaries to adversely impact organizational operations, assets, and individuals. This control does not assume a single primary processing or storage location, and thus allows for parallel processing and storage. Related controls: CP-6, CP-7.
Trend Micro Solution Compliancy:
When an organization distributes processing and storage across multiple physical locations, a significant issue is keeping the processing and storage security synchronized with the machines in the different locations. To this end, through the promulgation of security policies and firewall rules in the virtualized environment, the Deep Security Virtual Appliance can ensure that machines located in different locations have the correct security policies and safeguards implemented for their Trust Zone level.

SI-2 System and Information Integrity / Flaw Remediation


SI-2 System and Information Integrity / Flaw Remediation
Priority & Baselines: P1, LMH, CNSSI, FedRAMP
The organization:
a) Identifies, reports, and corrects information system flaws;
b) Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c) Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
d) Incorporates flaw remediation into the organizational configuration management process.
Supplemental Guidance:
Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11.
Trend Micro Solution Compliancy:
The Deep Security Recommendation Scan supports this requirement by allowing organizations to automate scanning of systems and patch levels against the latest Common Vulnerabilities and Exposures (CVE) database, to automatically apply Deep Security rules/filters to detect/prevent exploitation of these vulnerabilities, and to produce audit logs and reports which can be used to support a continuous monitoring program or audits.

SI-3 System and Information Integrity / Malicious Code Protection


SI-3 System and Information Integrity / Malicious Code Protection
Priority & Baselines: P1, LMH, CNSSI, FedRAMP
The organization:
a) Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b) Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c) Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d) Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
Supplemental Guidance:
Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7.
Trend Micro Solution Compliancy:
The Deep Security Virtual Appliance (DSVA) and Deep Security Agent provide the introspection security safeguard for Anti-Malware; the Anti-Malware can be configured to provide:
- The applicable real-time policies that apply during different periods of the day/week;
- The policy for full scheduled or manual scans;
- Exclusions of file types and directories; and
- Real-time behavior (scanning reads and/or writes) and applicable actions.
Upon detection of a file-based virus, Deep Security performs the actions specified by the authorized administrator. Actions are administratively configurable on a virtual or physical machine through the DSA or on a DSVA basis and consist of:
- Clean the virus from the file,
- Quarantine the file, and
- Delete the file.
The Deep Security Intrusion Prevention Module is both a host-based Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS), which protects host computers from being exploited by attacks against known and zero-day vulnerabilities as well as against SQL injection attacks, cross-site scripting attacks, and other web application vulnerabilities. It shields vulnerabilities until code fixes can be completed. It identifies malicious software accessing the network and increases visibility into, or control over, applications accessing the network. Intrusion Prevention prevents attacks by detecting malicious instructions in network traffic and dropping the relevant packets.
Deep Security is able to collect an audit event from a computer indicating detection of a virus. The event identifies the computer originating the audit event, the virus that was detected and the action taken by Deep Security. Deep Security sends an alarm to the authorized administrator and records the attempt as a system data record.
Deep Security can apply NSX Security Tags to protected VMs upon detecting a malware threat.
Further support for compliance with this requirement is achieved through the Trend Micro Smart Protection Network, which uses a global network of threat intelligence sensors to continually update email, web, and file reputation databases in the cloud, identifying and blocking threats in real time before they reach the organization requiring the protection.
SI-3 (1) System and Information Integrity / Malicious Code Protection / Central Management
Priority & Baselines: P1, MH, CNSSI, FedRAMP
The organization centrally manages malicious code protection mechanisms.
Supplemental Guidance:
Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls. Related controls: AU-2, SI-8.
Trend Micro Solution Compliancy:
The Deep Security solution centrally manages the malicious code protection mechanisms, either the anti-virus or the deep packet inspection, through the Deep Security Manager. Deep Security employs automatic update mechanisms for signatures, patterns, and rules. The Deep Security Manager, which provides centralized active updates and Deep Packet Inspection rules and filters, can also be integrated in the VMware environment with the vCenter Server, providing a systems administrator with a single view point of anti-virus and malicious code activity.

SI-3 (2) System and Information Integrity / Malicious Code Protection / Automatic Updates
Priority & Baselines: P1, MH, CNSSI, FedRAMP
The information system automatically updates malicious code protection mechanisms.
Supplemental Guidance:
Malicious code protection mechanisms include, for example, signature definitions. Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates. Related control: SI-8.
Trend Micro Solution Compliancy:
Deep Security performs real-time, scheduled, and on-demand scans for file-based viruses based upon known signatures, automatically updates and applies Deep Security signatures, engines, patterns, and rules/filters to detect/prevent exploitation of these vulnerabilities, and produces reports which can be used to support continuous monitoring.
TrendLabs carries out all virus research and case analysis for Trend Micro and its customers. It designs and tests virus pattern files and refines the scan engine to keep Trend Micro technology up to date and effective against the latest threats. During virus outbreaks, TrendLabs implements strict "Red Alert" escalation procedures to notify users and produce cures as quickly as possible. Trend Micro's virus doctors usually develop an initial "fix" for a major new virus in 45 minutes or less, which can be distributed through the active updates mechanism. TrendLabs also educates users about security threats and promotes safe computing by compiling virus definitions and other useful information on the company's web site.
SI-3 (4) System and Information Integrity / Malicious Code Protection / Updates Only by Privileged Users
The information system updates malicious code protection mechanisms only when directed by a privileged user.
Supplemental Guidance:
This control enhancement may be appropriate for situations where for reasons of security or operational continuity, updates are only applied when selected/approved by designated organizational personnel. Related controls: AC-6, CM-5.
Trend Micro Solution Compliancy:
The Deep Security Manager controls all updates to the Deep Security system, which in turn controls the anti-virus and malicious code intrusion detection and prevention mechanisms. Only users with escalated privileges can access the Deep Security Manager.
SI-3 (7) System and Information Integrity / Malicious Code Protection / Nonsignature-Based Detection
Priority & Baselines: FedRAMP
The information system implements nonsignature-based malicious code detection mechanisms.
Supplemental Guidance:
Nonsignature-based detection mechanisms include, for example, the use of heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide safeguards against malicious code for which signatures do not yet exist or for which existing signatures may not be effective. This includes polymorphic malicious code (i.e., code that changes signatures when it replicates). This control enhancement does not preclude the use of signature-based detection mechanisms.
Trend Micro Solution Compliancy:
The Deep Security solution implements, within the anti-virus and deep packet inspection functionality, heuristic techniques to complement the more commonly used signature-based techniques.
SI-3 (8) System and Information Integrity / Malicious Code Protection / Detect Unauthorized Commands
The information system detects [Assignment: organization-defined unauthorized operating system commands] through the kernel application programming interface at [Assignment: organization-defined information system hardware components] and [Selection (one or more): issues a warning; audits the command execution; prevents the execution of the command].
Supplemental Guidance:
This control enhancement can also be applied to critical interfaces other than kernel-based interfaces, including for example, interfaces with virtual machines and privileged applications. Unauthorized operating system commands include, for example, commands for kernel functions from information system processes that are not trusted to initiate such commands, or commands for kernel functions that are suspicious even though commands of that type are reasonable for processes to initiate.
Organizations can define the malicious commands to be detected by a combination of command types, command classes, or specific instances of commands. Organizations can define hardware components by specific component, component type, location in the network, or combination therein. Organizations may select different actions for different types/classes/specific instances of potentially malicious commands. Related control: AU-6.
Trend Micro Solution Compliancy:
Deep Security can prevent the execution of malicious commands, files or actions. The Deep Security solution implements deep packet inspection functionality to determine when suspect commands are being received by the targeted physical or virtual machine. In the event that a suspicious activity or series of commands is issued, an alert is sent to the Deep Security Manager or the SIEM system to inform the systems administrator of the security event taking place. Further, the implementation of Deep Security Integrity Monitoring supports satisfying this requirement by ensuring that configuration files and specific commands have not been modified prior to execution.

SI-3 (10) System and Information Integrity / Malicious Code Protection / Malicious Code Analysis
Priority & Baselines: CNSSI
The organization:
a) Employs [Assignment: organization-defined tools and techniques] to analyze the characteristics and behavior of malicious code; and
b) Incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes.
Supplemental Guidance:
The application of selected malicious code analysis tools and techniques provides organizations with a more in-depth understanding of adversary tradecraft (i.e., tactics, techniques, and procedures) and the functionality and purpose of specific instances of malicious code. Understanding the characteristics of malicious code facilitates more effective organizational responses to current and future threats. Organizations can conduct malicious code analyses by using reverse engineering techniques or by monitoring the behavior of executing code.
Trend Micro Solution Compliancy:
Deep Security supports satisfying this requirement through real-time, scheduled, and on-demand scans for file-based viruses and malware based upon known signatures. Deep Security performs scheduled scans at the time and frequency configured by the authorized administrator. This functionality is supported by the Trend Micro Smart Protection Network for malware analysis, which provides a response to the continuous emergence of new threats. New threats are created at a rate of 1.5 every second; historically, methods required virus signature files, which would then have to be delivered to the premises equipment. This caused network loads, memory usage, and system loads to gradually increase daily.
The Trend Micro Smart Protection Network works by storing the information required for security countermeasures in a cloud database rather than on individual computers, and Trend Micro then carries out updates and management via the cloud. Therefore, the long-term growth in work and system loads produced by delivering virus signature files is eliminated while simultaneously providing greater security countermeasures.
The Trend Micro Smart Protection Network uses a global network of threat intelligence sensors to continually update email, web, and file reputation databases in the cloud, identifying and blocking threats in real time before they reach the organization requiring the protection.

SI-4 System and Information Integrity / Information System Monitoring


SI-4 System and Information Integrity / Information System Monitoring
Priority & Baselines: P1, LMH, CNSSI, FedRAMP
The organization:
a) Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b) Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c) Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d) Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e) Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f) Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g) Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].
Supplemental Guidance:
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7.
Trend Micro Solution Compliancy:
Deep Security supports and satisfies this requirement through the combined functionality of Deep Packet Inspection, Firewall, Anti-Virus, Integrity Monitoring, and Log Inspection. The ability to respond quickly to new or emerging threats and provide corrections to vulnerabilities is supported by the Trend Micro Smart Protection Network.
Deep Packet Inspection (DPI) provides an IDS/IPS capability, which protects operating systems, commercial off-the-shelf applications, and custom web applications against attacks such as SQL injection and cross-site scripting. Security updates that provide protection against newly discovered vulnerabilities are automatically delivered to host machines. Detailed event records are produced, which provide valuable information, including the source of the attack, the time, and what the potential intruder was attempting to exploit. The Deep Packet Inspection module is available in both the Deep Security Agent and Deep Security Virtual Appliance for VMware ESX/ESXi.
The Firewall module is enterprise-grade, bi-directional, and stateful. It is used to limit communication by source and destination port, IP and MAC addresses, and is protocol-aware. By limiting traffic, the attack surface of systems is reduced, and the risk of unauthorized access to the system is also reduced. Reconnaissance detection is supported by the ability to detect reconnaissance activities such as port scans. The stateful firewall is available in both the Agent and Appliance for VMware ESX/ESXi.
Anti-Virus: upon detection of a file-based virus, Deep Security performs the actions specified by the authorized systems or Deep Security Administrator. Actions are administratively configurable on a Virtual Machine through the DSA or on a DSVA basis and consist of:
- Clean the virus from the file,
- Quarantine the file, and
- Delete the file.
The Anti-Virus module performs real-time, scheduled, and on-demand scans for file-based viruses based upon known signatures, and carries out scheduled scans at the time and frequency configured by the authorized administrator, in the physical or in the virtualized environment at the hypervisor level.
Integrity Monitoring monitors critical system objects such as files, folders, registry entries, processes, services, and listening ports. An integrity monitoring object baseline consists of a combination of the following object attributes: Created, Last Modified, Last Accessed, Permissions, Owner, Group, Size, Hash (SHA1, SHA256, MD5), Flags, SymLinkPath, Inode Number, Device Number, Blocks Allocated.
SI-4 (2) System and Information Integrity / Information System Monitoring / Automated Tools for Real-Time Analysis
Priority & Baselines: P1 MH CNSSI FedRAMP
The organization employs automated tools to support near real-time analysis of events.
Supplemental Guidance:
Automated tools include, for example, host-based, network-based, transport-based, or storage-based event monitoring tools or Security Information and Event Management (SIEM) technologies that provide real time analysis of alerts and/or notifications generated by organizational information systems.
Trend Micro Solution Compliancy:
Deep Security provides real time Integrity Monitoring to monitor entity changes and raise Integrity Monitoring events when changes are detected. Events are forwarded in real time via syslog to the SIEM, or when the next (configurable) heartbeat communication to the Deep Security Manager occurs.
The Deep Security Log Inspection module monitors specified log files in real time and reacts to changes to the files as they occur.

SI-4 (3) System and Information Integrity / Information System Monitoring / Automated Tool Integration
The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.
Trend Micro Solution Compliancy:
The Deep Security Log Inspection module monitors specified log files in real time and reacts to changes to the files as they occur.
Deep Security Intrusion Prevention automatically delivers rules that shield newly discovered vulnerabilities within hours; these rules can be pushed out to thousands of servers in minutes, without a system reboot.
SI-4 (4) System and Information Integrity / Information System Monitoring / Inbound and Outbound Communications Traffic
Priority & Baselines: P1 MH CNSSI FedRAMP
The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions.
Supplemental Guidance:
Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components.
Trend Micro Solution Compliancy:
The Deep Security deep packet inspection engine intelligently examines the content of network traffic entering and leaving hosts. The traffic is inspected for protocol deviations, content that signals an attack, or policy violations. Intrusion Prevention protects operating systems, commercial off-the-shelf applications, and custom web applications against attacks such as SQL injection and cross-site scripting. Detailed events provide valuable information, including the source of the attack, the time, and what the potential intruder was attempting to exploit.
SI-4 (5) System and Information Integrity / Information System Monitoring / System-Generated Alerts
Priority & Baselines: P1 MH CNSSI FedRAMP
The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].
Supplemental Guidance:
Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers. Related controls: AU-5, PE-6.
Trend Micro Solution Compliancy:
Deep Security supports this control through its ability to automatically produce and distribute alerts and reports as required by an organization's policies. Deep Security Alerts are raised when situations occur that require special attention. Alerts can be raised due to security Events such as the detection of malware or an abnormal restart on a protected computer, or they can be system events like the Deep Security Manager running low on disk space. Deep Security can be configured to send email notifications when specific Alerts are raised.

SI-4 (7) System and Information Integrity / Information System Monitoring / Automated Response to Suspicious Events
The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions to terminate suspicious events].
Supplemental Guidance:
Least-disruptive actions may include, for example, initiating requests for human responses.
SI-4 (9) System and Information Integrity / Information System Monitoring / Testing of Monitoring Tools
The organization tests intrusion-monitoring tools [Assignment: organization-defined frequency].
Supplemental Guidance:
Testing intrusion-monitoring tools is necessary to ensure that the tools are operating correctly and continue to meet the monitoring objectives of organizations. The frequency of testing depends on the types of tools used by organizations and methods of deployment. Related control: CP-9.
Trend Micro Solution Compliancy:
Deep Security supports these controls by:
- Providing notifications and, when in Inline mode, operating in either Detect Mode or Prevent Mode. In Detect Mode, traffic that would normally be dropped generates events but is allowed to pass. In Prevent Mode, Intrusion Prevention rules are applied to traffic and related log events are generated;
- Generating, via the Deep Security Agent and the Deep Security Manager, diagnostic packages to support the testing of intrusion monitoring tools; and
- Using Log Inspection to forward suspicious events to a SIEM system or centralized logging server for correlation, reporting and archiving.

SI-4 (11) System and Information Integrity / Information System Monitoring / Analyze Communications Traffic Anomalies
Priority & Baselines: CNSSI
The organization analyzes outbound communications traffic at the external boundary of the information system and selected [Assignment: organization-defined interior points within the system (e.g., subnetworks, subsystems)] to discover anomalies.
Supplemental Guidance:
Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses.
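The anomaly classes this enhancement's guidance names (large transfers, long-lived connections, unusual protocols and ports, and contact with suspected malicious external addresses) each reduce to a check over summarised flow records. The Python below is an added example written for this page, not Deep Security or NIST material: it runs those four checks over a handful of constructed flow records and also totals outbound bytes per internal host, because a per-flow size threshold misses a transfer split into many small flows. The thresholds, the port allow-list, the suspect list (RFC 5737 documentation addresses) and the sample flows are all constructed placeholders.

```python
"""Outbound-traffic anomaly check over constructed flow records (added example).

Illustration code written for this page, not Deep Security or NIST code. It applies
the four anomaly classes the SI-4 (11) supplemental guidance lists. Thresholds,
port allow-list, suspect list and sample flows are constructed placeholders.
"""
import ipaddress

# Constructed policy. The suspect list uses RFC 5737 documentation addresses only.
POLICY = {
    "large_transfer_bytes": 50 * 1024 * 1024,     # a single flow sending >= 50 MiB out
    "persistent_seconds": 4 * 3600,               # a connection held open >= 4 hours
    "expected_ports": {"tcp": {25, 53, 80, 443}, "udp": {53, 123}},
    "suspect_external": ["203.0.113.0/24", "198.51.100.77/32"],
    "internal_nets": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

# Constructed flow records, as a flow exporter or firewall log might summarise them.
# "point" is where the flow was observed: the external boundary or an interior subnet.
SAMPLE_FLOWS = [
    {"point": "boundary", "src": "10.1.2.3", "dst": "192.0.2.10", "proto": "tcp", "dport": 443, "bytes_out": 120 * 1024, "duration_s": 12},
    {"point": "boundary", "src": "10.1.2.3", "dst": "203.0.113.5", "proto": "tcp", "dport": 443, "bytes_out": 900 * 1024, "duration_s": 30},
    {"point": "boundary", "src": "10.1.2.9", "dst": "192.0.2.20", "proto": "tcp", "dport": 9001, "bytes_out": 2048, "duration_s": 5 * 3600},
    {"point": "boundary", "src": "10.1.2.9", "dst": "192.0.2.30", "proto": "tcp", "dport": 443, "bytes_out": 80 * 1024 * 1024, "duration_s": 600},
    {"point": "subnet:dmz", "src": "10.1.2.3", "dst": "10.0.0.53", "proto": "udp", "dport": 53, "bytes_out": 300, "duration_s": 1},
]


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def analyze_flows(flows, policy=POLICY):
    """Return one finding per anomalous flow, listing every rule it tripped.

    The rules are evaluated independently so an analyst can see which anomaly
    classes co-occur (for example an unusual port on a long-lived connection)."""
    suspects = _nets(policy["suspect_external"])
    internal = _nets(policy["internal_nets"])
    findings = []
    for flow in flows:
        reasons = []
        if flow["bytes_out"] >= policy["large_transfer_bytes"]:
            reasons.append("large outbound transfer")
        if flow["duration_s"] >= policy["persistent_seconds"]:
            reasons.append("long-lived connection")
        if flow["dport"] not in policy["expected_ports"].get(flow["proto"], set()):
            reasons.append("unusual %s/%d" % (flow["proto"], flow["dport"]))
        # The suspect list only applies to traffic that actually leaves the organisation.
        if not _in_any(flow["dst"], internal) and _in_any(flow["dst"], suspects):
            reasons.append("destination on suspect list")
        if reasons:
            findings.append({"point": flow["point"], "src": flow["src"],
                             "dst": flow["dst"], "reasons": reasons})
    return findings


def outbound_bytes_by_source(flows, policy=POLICY):
    """Profile the total bytes each internal host sent to external destinations.

    Per-flow thresholds miss exfiltration spread across many small flows; this
    aggregate is the kind of profile SI-4 (13) suggests building and tuning."""
    internal = _nets(policy["internal_nets"])
    totals = {}
    for flow in flows:
        if _in_any(flow["src"], internal) and not _in_any(flow["dst"], internal):
            totals[flow["src"]] = totals.get(flow["src"], 0) + flow["bytes_out"]
    return totals


if __name__ == "__main__":
    for f in analyze_flows(SAMPLE_FLOWS):
        print("%s %s -> %s: %s" % (f["point"], f["src"], f["dst"], ", ".join(f["reasons"])))
    print(outbound_bytes_by_source(SAMPLE_FLOWS))
```

Running the file prints three findings (suspect destination, long-lived connection on an unexpected port, large transfer) and the per-host outbound totals. The thresholds here are arbitrary; in practice they are derived from the organisation's own traffic profile, which is exactly the tuning loop SI-4 (13) describes, otherwise the unusual-port rule alone will drown the analyst in false positives.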

SI-4 (12) System and Information Integrity / Information System Monitoring / Automated Alerts
Priority & Baselines: CNSSI
The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined activities that trigger alerts].
Supplemental Guidance:
This control enhancement focuses on the security alerts generated by organizations and transmitted using automated means. In contrast to the alerts generated by information systems in SI-4 (5), which tend to focus on information sources internal to the systems (e.g., audit records), the sources of information for this enhancement can include other entities as well (e.g., suspicious activity reports, reports on potential insider threats). Related controls: AC-18, IA-3.
SI-4 (13) System and Information Integrity / Information System Monitoring / Analyze Traffic / Event Patterns
The organization:
a) Analyzes communications traffic/event patterns for the information system;
b) Develops profiles representing common traffic patterns and/or events; and
c) Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives.
Trend Micro Solution Compliancy:
Deep Security Intrusion Prevention is a high-performance deep packet inspection engine, which intelligently examines the content of network traffic entering and leaving hosts. The traffic is inspected for protocol deviations, content that signals an attack, or policy violations. Intrusion Prevention protects operating systems, commercial off-the-shelf applications, and custom web applications against attacks such as SQL injection and cross-site scripting. Detailed events provide valuable information, including the source of the attack, the time, and what the potential intruder was attempting to exploit.
The Deep Security Web Reputation module implements security levels, which determine whether Deep Security will allow or block access to a URL. For example, if the security level is set to Low, Deep Security will only block URLs that are known to be Web threats. As the security level is set higher, the Web threat detection rate improves but the possibility of false positives also increases.
The Deep Security Log Inspection module monitors specified log files in real time and reacts to changes to the files as they occur.

SI-4 (15) System and Information Integrity / Information System Monitoring / Wireless to Wireline Communications
Priority & Baselines: CNSSI
The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
Supplemental Guidance: Related control: AC-18.
Trend Micro Solution Compliancy:
Deep Security Firewall rules for wireless laptops partially support compliance with this requirement. With many laptops now capable of connecting to both the wired and wireless networks, users need to be aware of the problems that can result from this scenario. The common problem is a "network bridge" configured between the wired and wireless networks, which risks forwarding internal traffic externally and potentially exposing internal hosts to external attacks. Deep Security allows administrators to configure a set of firewall rules for these types of users to prevent them from creating a network bridge.
SI-4 (23) System and Information Integrity / Information System Monitoring / Host-Based Devices
Priority & Baselines: CNSSI FedRAMP
The organization implements [Assignment: organization-defined host-based monitoring mechanisms] at [Assignment: organization-defined information system components].
Supplemental Guidance:
Information system components where host-based monitoring can be implemented include, for example, servers, workstations, and mobile devices. Organizations consider employing host-based monitoring mechanisms from multiple information technology product developers.
Trend Micro Solution Compliancy:
Deep Security is a host-based protection solution, in the physical and virtualized environments, providing complete information system monitoring through the functionality associated with DPI, Firewall, Anti-Virus, Integrity Monitoring, and Log Inspection, as described in SI-4.
SI-4 (24) System and Information Integrity / Information System Monitoring / Indicators of Compromise
The information system discovers, collects, distributes, and uses indicators of compromise.
Supplemental Guidance:
Indicators of compromise (IOC) are forensic artifacts from intrusions that are identified on organizational information systems (at the host or network level). IOCs provide organizations with valuable information on objects or information systems that have been compromised. IOCs for the discovery of compromised hosts can include, for example, the creation of registry key values. IOCs for network traffic include, for example, Universal Resource Locator (URL) or protocol elements that indicate malware command and control servers. The rapid distribution and adoption of IOCs can improve information security by reducing the time that information systems and organizations are vulnerable to the same exploit or attack.
Trend Micro Solution Compliancy:
Deep Security, through its Integrity Monitoring capability, detects and reports malicious and unexpected changes to files and the system registry in real time. It provides administrators with the ability to track both authorized and unauthorized changes (IOC) made to the instance. The ability to detect unauthorized changes is a critical component as it provides visibility into changes that could indicate the compromise of an instance.

SI-5 System and Information Integrity / Security Alerts, Advisories and Directives
SI-5 System and Information Integrity / Security Alerts, Advisories, and Directives
Priority & Baselines: P1 LMH CNSSI
The organization:
a) Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
b) Generates internal security alerts, advisories, and directives as deemed necessary;
c) Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
d) Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
Supplemental Guidance:
The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2.
Trend Micro Solution Compliancy:
Deep Security can assist in supporting this control by providing security alerts to the organization; security alert data can also be exported to syslog servers. The frequency of alerts is configurable.

SI-5 (1) System and Information Integrity / Security Alerts, Advisories, and Directives / Automated Alerts and Advisories
Priority & Baselines: P1 H CNSSI
The organization employs automated mechanisms to make security alert and advisory information available throughout the organization.
Supplemental Guidance:
The significant number of changes to organizational information systems and the environments in which those systems operate requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational missions and business functions. Based on the information provided by the security alerts and advisories, changes may be required at one or more of the three tiers related to the management of information security risk including the governance level, mission/business process/enterprise architecture level, and the information system level.

SI-7 System and Information Integrity / Software, Firmware and Information Integrity
SI-7 System and Information Integrity / Software, Firmware, and Information Integrity
Priority & Baselines: P1 MH CNSSI FedRAMP
The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].
Supplemental Guidance:
Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications. Related controls: SA-12, SC-8, SC-13, SI-3.
Trend Micro Solution Compliancy:
The Deep Security solution supports the integrity verification of software and information through the Integrity Monitoring functionality. Integrity Monitoring monitors critical system objects such as files, folders, registry entries, processes, services, and listening ports and will detect any changes that happen to critical system objects. Integrity Monitoring works by comparing the current condition of a monitored object with an existing baseline. When an integrity event occurs with a rule that has the alert feature enabled, it will generate an alert to the Deep Security administrator. Baselines are created when the integrity rule is assigned. The baseline snapshot is stored in the DSA or, in the virtualized environment, the DSVA as a SQLite3 DB file using hashes, which is uploaded to the DSM. Baselines consist of a combination of the following object attributes: Created, Last Modified, Last Accessed, Permissions, Owner, Group, Size, Hash (SHA1, SHA256, MD5), Flags, SymLinkPath, Inode Number, Device Number, Blocks Allocated.
Triggers are used to compare the monitored system object with its baseline. The triggers can be Manual, Real-time On Change, and Pseudo real-time. The Manual or On-demand trigger is an administrator-initiated comparison triggered from the DSM console. The On-Change trigger uses the ReadDirectoryChanges function in the Windows API to alert an administrator that a modification to a security-critical object being monitored has taken place. The Pseudo real-time trigger is carried out by constant scans of the host machine for changes to the security-critical objects being monitored. An algorithm is used to determine the appropriate scanning interval based on how long it takes to scan all system areas. This prevents scans from overwhelming the host machine.
Rules: Administrators can use built-in templates to monitor files, directories, and Registry entries. Custom rules can be written to cover listening ports, processes and services.
Rules can be developed by the administrator to monitor Service Attributes such as: Permissions; Owner; Group; BinaryPathName; Description; State; StartType; LogOnAs; FirstFailure; SecondFailure; SubsequentFailures; ResetFailCountAfter; RunProgram; DependsOn; LoadOrderGroup; ProcessID; and Changes to registry service keys.
The Deep Security Agent and Deep Security Manager components use a SHA256 checksum when the components are downloaded from the Trend Micro product download web site.

SI-7 (1) System and Information Integrity / Software, Firmware, and Information Integrity / Integrity Checks
Priority & Baselines: P1 MH CNSSI FedRAMP
The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].
Supplemental Guidance:
Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware.
Transitional states include, for example, system startup, restart, shutdown, and abort.

SI-7 (3) System and Information Integrity / Software, Firmware, and Information Integrity / Centrally Managed Integrity Tools
The organization employs centrally managed integrity verification tools.
Supplemental Guidance: Related controls: AU-3, SI-2, SI-8.

SI-7 (5) System and Information Integrity / Software, Firmware, and Information Integrity / Automated Response to Integrity Violations
Priority & Baselines: P1 H CNSSI
The information system automatically [Selection (one or more): shuts the information system down; restarts the information system; implements [Assignment: organization-defined security safeguards]] when integrity violations are discovered.
Supplemental Guidance:
Organizations may define different integrity checking and anomaly responses: (i) by type of information (e.g., firmware, software, user data); (ii) by specific information (e.g., boot firmware, boot firmware for specific types of machines); or (iii) a combination of both. Automatic implementation of specific safeguards within organizational information systems includes, for example, reversing the changes, halting the information system, or triggering audit alerts when unauthorized modifications to critical security files occur.
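Stripped to its essentials, the Integrity Monitoring mechanism described in the SI-7 compliancy text (and in the baseline attribute list under SI-4) is a snapshot-and-diff of object attributes. The Python below is an added example written for this page, not Deep Security or Trend Micro code: it collects the attributes the page lists for each object, persists them as a JSON baseline (the product uses a SQLite file), and compares a later snapshot against that baseline to raise created, deleted and modified events. The scratch directory, file names and contents are constructed for the demo, and `next_scan_interval` is an assumed rule standing in for the product's scan-interval algorithm, which the page mentions but does not specify.

```python
"""File-integrity baseline/compare (added example, not Deep Security code).
Snapshots the attributes the text lists for monitored objects, stores them as a
baseline, and diffs a later snapshot to raise created/deleted/modified events.
Paths, contents and the scan-interval rule are constructed for this demo."""
import hashlib
import json
import os
import stat
import tempfile

# MD5 and SHA1 appear only because the page lists them; SHA-256 is the one to rely on.
DIGESTS = ("sha256", "sha1", "md5")

# Reading a file to hash it updates its access time, so a monitor that compared
# last_accessed would alert on its own scans. Record it, but ignore it by default.
IGNORED_ATTRIBUTES = frozenset({"last_accessed"})


def object_attributes(path):
    """Collect the baseline attributes of one file, directory or symlink."""
    st = os.lstat(path)               # lstat: describe the link itself, not its target
    attrs = {
        "created": st.st_ctime_ns,     # inode change time on POSIX; creation time on Windows
        "last_modified": st.st_mtime_ns,
        "last_accessed": st.st_atime_ns,
        "permissions": stat.S_IMODE(st.st_mode),
        "owner": st.st_uid,
        "group": st.st_gid,
        "size": st.st_size,
        "inode": st.st_ino,
        "device": st.st_dev,
        "blocks": getattr(st, "st_blocks", None),    # absent on Windows
        "symlink_path": os.readlink(path) if stat.S_ISLNK(st.st_mode) else None,
    }
    if stat.S_ISREG(st.st_mode):       # only regular files get content hashes
        hashers = {name: hashlib.new(name) for name in DIGESTS}
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                for h in hashers.values():
                    h.update(chunk)
        attrs.update((name, h.hexdigest()) for name, h in hashers.items())
    return attrs


def build_snapshot(root):
    """Snapshot every object below root, keyed by path relative to root."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = object_attributes(full)
    return snap


def compare_snapshots(baseline, current, ignored=IGNORED_ATTRIBUTES):
    """Integrity events: which objects appeared, vanished, or changed which attributes."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            events.append({"event": "created", "object": rel})
        elif rel not in current:
            events.append({"event": "deleted", "object": rel})
        else:
            changed = sorted(k for k, v in current[rel].items()
                             if k not in ignored and baseline[rel].get(k) != v)
            if changed:
                events.append({"event": "modified", "object": rel, "changed": changed})
    return events


def next_scan_interval(last_scan_seconds, duty_factor=10, floor_seconds=60):
    """Assumed rule for a pseudo real-time trigger: wait at least duty_factor times
    as long as the last full scan took, so scanning stays a small share of host
    time. The page says the interval adapts to scan duration but not how."""
    return max(floor_seconds, duty_factor * last_scan_seconds)


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def run_demo():
    """Constructed scenario: baseline a scratch tree, then edit, delete and add files."""
    with tempfile.TemporaryDirectory() as work:
        monitored = os.path.join(work, "monitored")
        os.mkdir(monitored)
        _write(os.path.join(monitored, "app.conf"), b"debug=false\n")
        _write(os.path.join(monitored, "libdemo.so"), b"constructed library bytes")
        baseline_file = os.path.join(work, "baseline.json")   # kept outside the monitored tree
        with open(baseline_file, "w") as fh:
            json.dump(build_snapshot(monitored), fh, sort_keys=True)
        _write(os.path.join(monitored, "app.conf"), b"debug=true\n")          # edited
        os.remove(os.path.join(monitored, "libdemo.so"))                        # deleted
        _write(os.path.join(monitored, "dropped.bin"), b"constructed new file")  # created
        with open(baseline_file) as fh:
            baseline = json.load(fh)
        return compare_snapshots(baseline, build_snapshot(monitored))


if __name__ == "__main__":
    for event in run_demo():
        print(event)
```

Running the file prints one modified event for `app.conf` (size, hashes and timestamps changed), one created event for `dropped.bin` and one deleted event for `libdemo.so`. Two points carry over to any real deployment: the baseline must live somewhere the monitored host cannot rewrite it (the page has the DSA upload it to the DSM), and attributes that the monitor itself disturbs, such as access time, have to be excluded from comparison or every scan becomes a false positive. A real-time trigger such as the ReadDirectoryChanges hook the page mentions is outside this example, which only implements the manual and interval-driven cases.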

SI-7 (8) System and Information Integrity / Software, Firmware, and Information Integrity / Auditing Capability for Significant Events
Priority & Baselines: CNSSI
The information system, upon detection of a potential integrity violation, provides the capability to audit the event and initiates the following actions: [Selection (one or more): generates an audit record; alerts current user; alerts [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]].
Supplemental Guidance:
Organizations select response actions based on types of software, specific software, or information for which there are potential integrity violations. Related controls: AU-2, AU-6, AU-12.

SI-7 (13) System and Information Integrity / Software, Firmware, and Information Integrity / Code Execution In Protected Environments
The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles].
Supplemental Guidance:
This control enhancement applies to all sources of binary or machine-executable code including, for example, commercial software/firmware and open source software.
Trend Micro Solution Compliancy:
The Deep Security solution supports compliance with this requirement by providing a series of security mechanisms in the physical or virtualized environment, which can be configured to provide the isolation required from other system environments, such as Dev/Test/Production, to run binaries from sources with limited or no warranty and without the availability of the source code.
